Chip-and-PIN credit cards are very common in the UK, and they’re on the rise in the US, as well—they’re generally considered to be both more convenient and more secure than the long-used American signature cards. However, a team of researchers at Newcastle University recently performed some alarming experiments that has some chip-and-PIN card carriers worried. It’s time to learn the facts and protect yourself.

In general, this is totally fine. Banks and card issuers generally don’t require a PIN for small purchases (usually those up to £20), and everybody is happy. PINs are required for larger purchases, reducing the likelihood of fraud. There’s also a limit on offline transactions—those that are authorized by the card, but not processed by the bank until later—of £100. Unfortunately, the system doesn’t quite work as planned.

Tricking The Tech

The team at Newcastle University found an interesting way around the safeguards put in place by Visa and detailed it in their paper, “Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN.” They found that these safeguards are fooled by foreign transactions, and will generally let a terminal make a charge on the card that contains up to eight digits, which could potentially amount to $999,999.99 or €999,999.99. Presumably this is to allow for foreign transactions to be made with currencies that require large amounts, like Japanese yen, South Korean won, or the Indonesian rupiah.

Unfortunately, the chip in the card doesn’t know if it’s in Japan, South Korea, Indonesia, or a supermarket in London. It also doesn’t know the difference between a retailer’s contactless terminal and a hacked terminal that can be carried in a pocket. You might think that it’d be difficult to carry around a hacked terminal in a pocket, but the team at Newcastle managed to do it by writing an app for NFC-enabled Android phones. All the thief has to do is wave the card over your wallet if it’s sitting on the table, or bump into you so the phone gets close enough to the card in your pocket—it’s a lot like a drive-by NFC hackHow Does A Drive-By NFC Hack Work?How Does A Drive-By NFC Hack Work?Read More.

Not only does this method bypass the £20 limit, but it also bypasses the offline transaction limit of £100, meaning the thief can be far away from you when the transaction goes through—so even if you do get a text message from your bank saying that a suspicious transaction has been detected, you’ll have no idea where you were when the thief hit you.

The authors of the paper say that if someone were to take advantage of this weakness in the system, they likely wouldn’t be able to get $999,999.99, as that would set off other alarms at the bank (unless, of course, you’re one of those people who regularly spends over a million bucks on their credit card). Even if they’re able to get £50 off of each person they bump into, though, that could add up to a huge amount of money. How many people do you regularly bump into on the Tube, or walking down a crowded high street?

Protecting Yourself

The authors of the paper recommend a few different things that Visa should do to protect their customers from these sorts of attacks, like always requiring a PIN or online verification before the processing of a transaction in a foreign currency. Visa responded to this study by saying that they have other safeguards in place and that this won’t be a problem (but we’ve heard things like that before). Until Visa makes specific fixes, it’s a good idea to protect yourself.

The easiest way to avoid this problem is also the simplest: don’t use contactless cards. If your bank offers you a choice, just choose the non-contactless option. Pretty simple. You can also request that your bank disallow payments in foreign currencies on your card if you don’t travel often. If you choose either of these options, you won’t have to worry at all.

Whether or not Visa is telling the truth about their other safeguards catching an attack like this—and whether or not RFID-blocking wallets really do their job—it’s important to be aware of potential threats like this. Contactless cards are really useful, but they haven’t been around in large numbers all that long, so we still need a bit of time to get them all figured out.

What do you think of this threat? Are you worried about the security your contactless cards? Do you use a contactless card or an RFID-blocking wallet? Share your thoughts below!

I use a metal wallet. The only problem is that in spite of TV ads, it is not capacious enough. I have to leave some of the less used cards at home. I also have to carry cash in a money clip, rather than in my wallet.

My wife has an aluminium foil-lined partition in her wallet for her cards.

It is not only credit cards that need to be safeguarded. Any cards with magnetic strips or RFID chips need also be protected.

The metal wallets that I've seen haven't looked very big—I would imagine that they could get pretty bulky and maybe heavy if they were big enough to carry all of the cards that you wanted . . . though it would be nice to have the option. Are mag stripes susceptible to a similar type of attack? I've never heard of that before.

Interesting to see that Visa had not found a solution to a potential problem before issuing such cards.

While in France last month, I tried to pay a bill with my regular Visa card. The waitress had a difficult time trying to use the card with the little machine she brought to the table. A gentleman at the next table explained to her that she needed to swipe the card in the slot on the machine. It appears most of the cards in Arles are chip based. Not as described above, however.

I would imagine that Visa was pretty keen on getting their cards out into consumer hands as fast as possible. It is interesting that MasterCard seems to have headed this problem off, though, while Visa didn't.

And yes, most cards in Europe are chip-and-PIN, and have been for a while. My father had the same problem with a server not knowing what to do with a mag stripe card! I'm not sure what you mean by "Not as described above, however."

Dann is a freelance journalist interested in technology, health, and cognitive science. When he's not writing, he's almost certainly playing board or card games (or working on a forthcoming book about them). Follow him on Twitter at @dann_albright.